Issue

This article describes the recommended settings for Symantec Endpoint Protection (SEP) 11, and how to set them using Symantec Endpoint Protection Manager (SEPM).

Cause

The default settings for Symantec Endpoint Protection do not fully use the protection the product offers. They can be modified to scan more aggressively and to take stronger action when a detection occurs. This document explains how to modify the relevant settings.

Solution

Recommended scan settings

| Antivirus Security Setting | Default Setting | High Security Policy | Security Response Recommendation |
|---|---|---|---|
| Lock settings | Some | Some | All |
| Remediation: terminate processes | No | No | Yes |
| Remediation: terminate services | No | No | Yes |
| Auto-Protect action taken for security risks | Quarantine/Log | Quarantine/Log | Quarantine/Delete |
| Network Auto-Protect | Disabled | Enabled | Enabled |
| Bloodhound Level | Default (2) | Default (2) | Default (3) |
| SEP Startup | System Start | System Start | System Start |
| Auto-Protect Scan | Modify and access | Modify and access | Modify and access |

To implement the recommended settings:

In the Symantec Endpoint Protection Manager, click the Policies tab.

Right-click the policy you want to modify, and click Edit.

Once in the Antivirus and Antispyware policy, select File System Auto-Protect from the list on the left.

Click the Scan Details tab.

Lock all options. Any option not locked is configurable at the client.

Check Network Settings to enable network scanning.

Click Advanced Scanning and Monitoring.

Lock all options.

Check Enable Bloodhound(TM) heuristic virus detection.

Click the Level of protection to use drop-down, and select Maximum.

Click OK.

Click the Actions tab.

Lock all options.

Under Detection, select Security Risks.

Click the First Action drop-down, and select Quarantine risk.

Click the If first action fails drop-down, and select Delete risk.

Check Terminate processes automatically.

Check Stop services automatically.

Click OK.

Recommended TruScan settings

| TruScan | Default Setting | Security Response Recommendation |
|---|---|---|
| Scan Sensitivity | 9/Low | 100 |
| Action on Detection | Log | Terminate |
| Scan Frequency | 1:00 | 00:15 |

To implement the recommended settings:

In the Symantec Endpoint Protection Manager, click the Policies tab.

Right-click the policy you want to modify, and click Edit.

Once in the Antivirus and Antispyware policy, select TruScan Proactive Threat Scans from the list on the left.

Click the Scan Details tab.

Lock the options for the following by clicking the lock icon so that the icon shows a closed lock: Scan for trojans and worms, Use defaults defined by Symantec, When a trojan or worm is detected within the sensitivity threshold, Sensitivity.

Uncheck Use defaults defined by Symantec.

Click the When a trojan or worm is detected drop-down, and select Terminate (instead of the default of Log).

Slide the sensitivity slider to the far right. This sets it to 100.

Lock all three options by clicking the lock icon so that the icon shows a closed lock.

Reduce the Scan processes every value to 15 minutes.

Symantec recommends testing any changes before deploying them to production machines, because many of the changes suggested in this document have the potential to affect machine and network performance.